A researcher has found a critical remote code execution flaw in APT Package manager that was used by many popular Linux distros like Ubuntu, Debian, and many others.

Max Justicz discovered the vulnerability (CVE-2019-3462) that resides in the APT package manager which allows a network man-in-the-middle to execute arbitrary code as root on a machine installing any package. However, the bug has been now fixed in the latest package and patched were also been released.

On the blog post, Justicz, guide about the protection of user by simply disabling HTTP redirects while you update. To do this, just run the following command -sudo apt update -o Acquire::http::AllowRedirect=false
sudo apt upgrade -o Acquire::http::AllowRedirect=false

Moreover, a detailed advisory has also been published by the Debian team which reads-

The code handling HTTP redirects in the HTTP transport method doesn't properly sanitize fields transmitted over the wire. This vulnerability could be used by an attacker located as a man-in-the-middle between APT and a mirror to inject malicious content in the HTTP connection. This content could then be recognized as a valid package by APT and used later for code execution with root privileges on the target machine.

A researcher has also shown a POC demonstration where an attacker intercepting HTTP traffic between APT utility and a mirror server, eventually could execute arbitrary code on the targeted system with the highest level of privileges, i.e. root.

The RCE bug has been fixed today in the APT 1.2.29ubuntu0.1, 1.7.0ubuntu0.1, 1.0.1ubuntu2.19, and 1.6.6ubuntu0.1 packages, as well as in APT 1.4.9 for the Debian distribution.